Information and Technology Checklist for telehealth

Telehealth is healthcare services delivered via telecommunication, enabling long-distance consultation in clinically suitable situations. It is therefore essential to ensure this is done securely, without introducing unnecessary privacy, security or legal risks.

The checklist below helps practitioners choose and implement safe and effective online audio/video collaboration tools for providing telehealth consultations in accordance with Medicare Benefits Schedule (MBS) and Australian Cyber Security Centre (ACSC) guidelines. It provides guidance on both the criteria for selecting a telehealth conferencing solution and how to use it securely.

Key messages:

  • It is important to ensure that telehealth software solutions are implemented securely
  • It is important to establish cyber security expectations with your suppliers, and to monitor and audit them for compliance
  • Telehealth software solutions should be researched properly before being implemented in your practice.

Selecting a web conferencing solution

  • The service provider is based in Australia
  • The service provider stores data in Australia
  • The service provider has an acceptable track record of actions in response to privacy and cyber security issues
  • The following requirements are specified and met by the service provider:
      • Privacy
      • Security
      • Organisation’s legal requirements
  • The service provider's information and metadata collection processes are known
  • The service provider uses strong end-to-end encryption
  • The service provider uses a passcode and meeting ID
  • The service provider has good reliability and scalability in times of increased demand
  • The service provider meets these requirements for any free version that may be used by patients

Using a web conferencing solution

  • The web conferencing solution has been configured securely
    • Security features have been reviewed
    • Default security settings have been configured to meet organisational security needs
    • Staff using the web conferencing solution on personal devices have applied all security patches for their devices
  • A password manager is used for passwords and PINs
  • Meetings are held securely by ensuring:
    • Invitations, website links and access credentials are sent separately via email or encrypted messaging apps
    • Website links or credentials have not been shared on publicly accessible websites or social media
  • Any access credentials are updated periodically
  • Only invited participants can join a meeting
  • Meetings are locked once all participants are present
  • In phone meetings, sounds or visual notifications indicating that participants are joining the meeting are tracked, and any unknown participants are asked to identify themselves
  • Any participant who is unable to appropriately identify themselves is disconnected
  • Services are provided from a private and secure physical space:
    • Use a private location or headphones if a private location isn’t possible
    • If video is used, position cameras so they only capture participants’ faces. Alternatively, consider using background blurring features if they are available
    • Limit discussions to those approved to be conducted using a web conferencing solution
  • If telehealth consultations need to be fully or partially recorded, processes must be in place to document the following:
    • Discussion with patient to ensure understanding of:
      • reasons and benefits of the recording
      • storage and management of the recording.
    • Upfront disclosure of how the recording will be used (clinical assessment, research, training, etc.)
    • Consent to recording for the intended purpose
    • Appropriate secure storage of the recording file
    • Documentation of the consultation and method of recording.

Using email

  • The service provider is targeted toward business and/or commercial purposes
  • The service provider offers:
    • End-to-end encryption
    • Two-factor authentication
    • Message recall or message self-destruct feature.
  • If the existing email solution doesn’t offer end-to-end encryption, send clinical information only in encrypted email attachments or password-protected PDFs.

 

Reference

Web Conferencing Security – Australian Cyber Security Centre (ACSC)

Privacy Checklist for Telehealth Services - MBS